September 23, 2004
Diebold Machines Easily Changed
by Kevin
This does not make me feel confident:
The trick was uncovered by Herbert Thompson, director of security technology at Security Innovation and a teacher of computer security at the Florida Institute of Technology. Thompson has authored several nonfiction books on computer security and co-authored a new novel about hacking electronic voting systems called The Mezonic Agenda: Hacking the Presidency.
After Harris met Thompson at the Defcon hacker conference this year, she asked him to examine the GEMS program. He found he could write a five-line script in the Notepad text editor that would change the vote summaries in GEMS without changing the raw precinct data. The auditing log in GEMS wouldn't record the change because it only tracks changes that occur within GEMS, not changes that occur on the computer outside of GEMS.
After writing the script, Thompson saved it as a Visual Basic file (.vbs) and double-clicked it to execute it.
The command happens in the background where no one can see it. To verify that the changes occurred, Thompson could write another script to display the vote data in a message box after the change. Once the scripts finished their work, they would go into the Recycle Bin, where Thompson could delete them.
When Harris demonstrated the vulnerability to officials in California, she opened the GEMS program to show that the votes changed as the script commanded them to.
Frankly, based on the bits of code and the discussion around the system, I am surprised it took this long to find this kind of vulnerability. These systems are simply not secure in any meaningful way. They are poorly designed and poorly coded, and should not inspire confidence. Diebold claims that there are procedures in place to prevent that kind of manipulation, and that no one has ever broken the law. Seriously:
But speaking generally on the vulnerabilities Harris mentions, Diebold spokesman David Bear said by phone that no one would risk manipulating votes in an election because it's against the law and carries a heavy penalty. He also said that election "policies and procedures dictate that no (single) person has access or is in control of a (voting) system," so it would be impossible for anyone to change votes on a machine without others noticing it. And even if someone managed to change the votes, auditing procedures would detect it.
The problem, of course, is that people do break the law, and procedures are not always followed:
Jefferson, the Lawrence Livermore computer scientist, agreed that election procedures usually indicate that there should not be one person operating the counting software. He also agreed with Bear that officials could catch discrepancies in vote totals if they went back and manually added up the results from every individual polling place and compared the totals with the tallies in the summary report. But Jefferson said that election officials and poll workers don't always follow procedures. In the California March primary, he pointed out, several counties refused to follow procedures that were requested by the secretary of state's office and others failed to follow procedures that are mandated under California election law.
Now, there is always the matter of access. But it is common for Diebold employees to assist poll workers with the machines, and poll workers themselves have access to the machines. I cannot stress how simple this change would be, and how easily it could affect the vote. There are simply no real safeguards for preventing people with access to the machines from changing the results of the elections, and no real ability to tell that it has been done. It is simply inconceivable to me that these machines would be allowed anywhere near an election. Their design and implementation -- speaking as someone who codes and designs for a living -- is incredibly poor. I am literally struggling to find words to convey just how awful this design really is. "Inexcusable" and "bug-stupid" just don't do it justice. I cannot believe anyone approved this design -- literally, cannot believe that anyone with a day's worth of experience or an ounce of common sense thought this was an appropriate design. If these machines were toasters, they would not only set your house on fire the first time they were used, they would set your neighbors' houses on fire and disable all the phones so that no one could call the fire department.
Steve Gilliard is constantly pounding on the fact that no one needs to mess with the voting machines because voter intimidation tactics work so well. He is partly correct -- it is already obvious that voter suppression is beginning to stir. But voter suppression is hard, dirty work that leaves fingerprints and trails of evidence. The kind of manipulation that is possible with these machines is almost undetectable. In a close election with poor polling models -- such as this one -- there will be very few outside clues to point to fraud. If I wanted to steal an election, and I had a choice, I would prefer fixing these Diebold machines to trying to keep people away from the polls. It is quicker, more reliable, and less likely to be discovered.
Steve is right that the old-fashioned methods work well. But we cannot afford to ignore the more modern, high-tech fraud now possible. This vulnerability is a perfect example of the potential for fraud waiting at polling places all over the country.
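The manual check Jefferson describes in the quoted article, re-adding every polling place's results and comparing them with the summary report, can be sketched as follows. This is an added example, not code from the article or from GEMS; the row layout, names and numbers are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data; field layout is hypothetical, not the GEMS schema.
PRECINCT_ROWS = [  # (precinct, contest, choice, votes) as reported by each polling place
    ("P-001", "Mayor", "Candidate A", 120), ("P-001", "Mayor", "Candidate B", 95),
    ("P-002", "Mayor", "Candidate A", 80),  ("P-002", "Mayor", "Candidate B", 110),
    ("P-003", "Mayor", "Candidate A", 130), ("P-003", "Mayor", "Candidate B", 70),
    ("P-001", "Measure 1", "Yes", 150),     ("P-001", "Measure 1", "No", 60),
    ("P-002", "Measure 1", "Yes", 100),     ("P-002", "Measure 1", "No", 85),
]
SUMMARY = {  # (contest, choice) -> total shown in the summary report
    ("Mayor", "Candidate A"): 300, ("Mayor", "Candidate B"): 305,
    ("Measure 1", "Yes"): 250, ("Measure 1", "No"): 145,
}

def recount(rows):
    """Re-add precinct rows into per-choice totals, rejecting malformed input."""
    totals, seen = defaultdict(int), set()
    for precinct, contest, choice, votes in rows:
        if (precinct, contest, choice) in seen:
            raise ValueError(f"duplicate row for {precinct}/{contest}/{choice}")
        if not isinstance(votes, int) or votes < 0:
            raise ValueError(f"invalid vote count {votes!r} in {precinct}")
        seen.add((precinct, contest, choice))
        totals[(contest, choice)] += votes
    return dict(totals)

def reconcile(rows, summary):
    """Return (contest, choice, recounted, reported) for every mismatch.
    A choice present on only one side is reported with None on the other."""
    recounted = recount(rows)
    return [(c, ch, recounted.get((c, ch)), summary.get((c, ch)))
            for c, ch in sorted(set(recounted) | set(summary))
            if recounted.get((c, ch)) != summary.get((c, ch))]

def contest_totals(per_choice):
    """Collapse per-choice totals to ballots counted per contest."""
    out = defaultdict(int)
    for (contest, _), votes in per_choice.items():
        out[contest] += votes
    return dict(out)

if __name__ == "__main__":
    for contest, choice, raw, reported in reconcile(PRECINCT_ROWS, SUMMARY):
        print(f"MISMATCH {contest} / {choice}: precincts={raw} summary={reported}")
    # Per-contest totals agree here, so only the per-choice comparison flags it.
    print(contest_totals(recount(PRECINCT_ROWS)) == contest_totals(SUMMARY))
```

The check only means something when the precinct figures come from a record kept outside the tabulation computer, such as the results printed at each polling place, since the article's point is that changes made outside GEMS never reach its audit log.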
Comments
I really love the 'nobody would do it because it's against the law' defense; apparently all those prisons are just figments of our imagination!
Posted by: Garnet on September 23, 2004 02:21 PM
Yeah, those "prisons of the mind", they're everywhere...
I think the Repubs are covering all their bases, too. In which state were they encouraging their own to vote absentee? Ohio, maybe? I think the idea is that, if there's a giant mess, THEY'LL have paper trails to prove how they voted -- "your side got no paper trail, well cry me a river, get over it, you lost...!"
Posted by: Jeff on September 24, 2004 11:52 AM